Security News > 2022 > May > Microsoft Mitigates RCE Vulnerability Affecting Azure Synapse and Data Factory
Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution.
"The vulnerability was specific to the third-party Open Database Connectivity driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime and did not impact Azure Synapse as a whole," the company said.
In other words, a malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant's Integration Runtimes to gain access to sensitive information, effectively breaking tenant separation protections.
That said, the Redmond-based company has shared Microsoft Defender for Endpoint and Microsoft Defender Antivirus detections to protect customers from potential exploitation, adding it's working to bolster the security of third-party data connectors by working with driver vendors.
The findings come a little over two months after Microsoft remediated an "AutoWarp" flaw impacting its Azure Automation service that could have permitted unauthorized access to other Azure customer accounts and take over control.
Last month, Microsoft also resolved a pair of issues - dubbed "ExtraReplica" - with the Azure Database for PostgreSQL Flexible Server that could result in unapproved cross-account database access in a region.
News URL
https://thehackernews.com/2022/05/microsoft-mitigates-rce-vulnerability.html
Related news
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Microsoft warns Azure Virtual Desktop users of black screen issues (source)
- Microsoft SharePoint RCE bug exploited to breach corporate network (source)
- Palo Alto Networks warns of potential PAN-OS RCE vulnerability (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- HubSpot phishing targets 20,000 Microsoft Azure accounts (source)